Identity verification methods related to authenticating and/or verifying users for access to secured systems are well known. One such method involves assigning a password to a user. When the user desires access to the secured system, the user inputs his or her ID and password to the system. The system confirms that the input password corresponds to the stored user ID and enables user access to the system. An enhanced version of this security technology is known as one-time password (OTP) authentication. OTP authentication uses a password that is transitory and only valid for a single use such that once used, the OTP is not valid for later access. The OTP may be time-based or event-based. Thus, even if the OTP is fraudulently obtained, the possibility that it can be used to gain access to a system is very limited.
The OTP is typically generated by a token possessed by the user and is input to an authentication system. The token may exist only to provide the OTP functionality, or the token may be embedded in some other device that provides additional functions. The input OTP is compared to an OTP generated by the system using the same information and encryption algorithm as is used by the token. If the input OTP matches the OTP generated by the system, the user is allowed access to the system. Recently, services have been offered by information security technology vendors in which an OTP is sent to a user via a mobile device when needed, such as by short message service (“SMS”) over a cellular telephone. With such a system, the user does not need to carry the token, but can simply use his or her mobile phone, which he or she may carry anyway, to provide the OTP function.